On World Password Day, cybersecurity experts are drawing attention to a major transition away from relying on passwords as the main line of defence. This shift is being driven by the rise of AI-powered cyberattacks, which are making it significantly easier to compromise login details in the rapidly expanding world of interconnected IoT devices.
Rather than inventing new ways to crack passwords, AI is dramatically increasing the scale at which they are stolen. It does this by enabling far more persuasive phishing attacks, identity spoofing, and social engineering operations aimed at both individual users and connected systems.
As both commercial and industrial IoT networks grow in size, security measures have found it difficult to keep up, leaving many organisations vulnerable across their connected infrastructure.
While World Password Day offers a useful moment to reflect on these dangers, specialists stress that the problem is no longer just about picking tougher passwords. It points to a much wider challenge: managing identity and access across vast, complex digital and IoT landscapes.
“AI doesn’t fundamentally alter the method of cracking passwords; it simply makes stealing them through trickery far more effective,” explains Adrian Podkaminer, Head of Security at the digital entertainment marketplace G2A.COM.
“Weak or reused passwords continue to be one of the top entry points for attackers, but the threat picture is also shifting thanks to AI-driven phishing and social engineering. Adversaries are increasingly harnessing generative AI to ramp up credential-collection operations, craft more believable impersonation attempts, and generate fraudulent messages that are increasingly difficult to tell apart from genuine ones.”
An ongoing, managed process
Chris Newton-Smith, CEO at information security and data privacy specialist IO, argues that organisations need to abandon the idea of treating security as a series of isolated events.
“The core issue isn’t simply that employees pick weak passwords. It’s that businesses approach security as a set of one-off tasks rather than as an ongoing, managed process,” he explains. “Good password practices are important. But they’re just one piece of a much larger puzzle. The real question to ask today isn’t ‘how robust is our password policy?’ It’s ‘what measures are we taking on the other 364 days of the year?’”
This problem is even more severe in IoT settings, where authentication isn’t just for people. Devices, sensors, and automated systems all need digital identities, often in very large numbers, creating a security challenge far more complicated than anything seen in traditional IT environments.
Despite these complexities, passwords are still widely used across IoT deployments — including default credentials and weak or reused logins that are seldom updated. This broadens the attack surface considerably, making it difficult to monitor and even harder to secure with any consistency.
Michael Downs, Vice President at zero trust access solutions firm SecurEnvoy, points out that multi-factor authentication (MFA) — which requires two or more forms of verification before granting access — has not yet been adopted as standard by most UK businesses.
“The issue isn’t simply that people need stronger passwords. The fact is, password discipline alone cannot protect you once credentials are leaked or sold on the dark web — and they are leaked all the time,” he notes. “Only 47% of organisations have rolled out MFA as standard practice, meaning the majority are just a single credential breach away from a serious security incident.”
In IoT environments, one compromised credential can be all it takes to expose entire fleets of devices or gain a foothold into broader operational networks.
Security researchers caution that attackers increasingly take advantage of predictable human tendencies rather than trying to force their way in through brute-force methods. Password reuse, slight variations of old passwords, and foreseeable patterns remain widespread in both consumer and corporate settings.
Tomer Bar, Associate VP of Security Research at security and resilience company Semperis, describes how these weaknesses are exploited on a massive scale:
“When people create lengthy passwords, they tend to choose memorable options — such as repeating patterns, slight tweaks to old passwords, predictable phrases, or popular song lyrics, quotes, and memes — instead of truly random character strings.”
Precomputed hash attacks
Attackers then weaponise these habits using methods such as precomputed hash lookups:
“They also build rainbow tables — large databases of precalculated password hashes. Since most systems store hashes rather than the actual passwords, a rainbow table lets an attacker match a hash back to the original password, provided that password exists in the table.”
While these attack techniques are not new, IoT environments magnify their impact owing to the sheer volume of connected devices, inconsistent security controls, and limited visibility across distributed systems.
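The lookup Bar describes, and the storage practice that defeats it, as an added example that is not part of the article or its sources: a small precomputed table of SHA-256 digests over a constructed list of common passwords reverses an unsalted stored hash with a single dictionary lookup, while a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 here) means the same table matches nothing and every user must be attacked separately. The password list, the 16-byte salt and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of "common" passwords (illustrative only; not from the article).
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "Summer2024!", "Winter2024!",
]


def build_lookup_table(candidates, hash_name="sha256"):
    """Precompute digest -> password for every candidate.

    This is the principle behind a rainbow table: the hashing work is done
    once, in advance, and reused against any unsalted hash store.
    """
    table = {}
    for pw in candidates:
        digest = hashlib.new(hash_name, pw.encode()).hexdigest()
        table[digest] = pw
    return table


def unsalted_hash(password, hash_name="sha256"):
    """How NOT to store a password: a fast hash with no salt.

    Two users with the same password get the same digest, and one
    precomputed table serves against every deployment using this scheme.
    """
    return hashlib.new(hash_name, password.encode()).hexdigest()


def lookup(table, stored_hash):
    """Reverse a stored digest by table lookup; None if it was never precomputed."""
    return table.get(stored_hash)


def salted_hash(password, salt=None, iterations=600_000):
    """Recommended storage: random per-user salt plus a slow KDF.

    The salt (assumed 16 bytes here) is stored alongside the derived key; it
    is not secret, but it makes each user's hash unique so a shared table
    cannot exist. The iteration count follows current OWASP guidance for
    PBKDF2-HMAC-SHA256 and is what makes guessing expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_salted(password, salt, expected, iterations=600_000):
    """Recompute the derived key and compare in constant time."""
    _, derived = salted_hash(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stored = unsalted_hash("Summer2024!")
    print("unsalted store, table lookup ->", lookup(table, stored))

    salt, derived = salted_hash("Summer2024!")
    print("salted store, table lookup   ->", lookup(table, derived.hex()))
    print("correct password verifies    ->", verify_salted("Summer2024!", salt, derived))
```

The dictionary in `build_lookup_table` stands in for a full rainbow table; the point it makes is that the table only works when the stored digest depends on nothing but the password, which is exactly what the salt in `salted_hash` removes.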
Bar recommends using a password manager to create and store long, genuinely random passwords, and never reusing them across different accounts. He advises enabling multi-factor authentication wherever possible, and for the few passwords you need to memorise, using lengthy, unique passphrases made up of unrelated, randomly chosen words.
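Bar's last recommendation, implemented as an added example that is not from the article or its sources: a passphrase generator that draws unrelated words with the operating system's CSPRNG through Python's `secrets` module and reports the resulting entropy, so the reader can see how word-list size and word count together decide the strength of a memorable passphrase. The embedded word list is a constructed sample of 32 words; a real generator would load a published list of several thousand words, and the 7776-word figure used in the usage note is the size of such a list, not something the article states.

```python
import math
import secrets

# Constructed sample word list for illustration only. Assumption: a real
# deployment loads a published list of thousands of distinct words.
WORDS = (
    "anchor", "basil", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "raven", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "meadow", "cobalt", "tango", "pillow", "summit", "bramble",
)


def generate_passphrase(word_count=6, wordlist=WORDS, separator=" "):
    """Pick word_count words uniformly and independently using the OS CSPRNG.

    Words are sampled with replacement (repeats allowed), which is the
    assumption behind the entropy formula below. secrets.choice, not
    random.choice, is used so the output is unpredictable.
    """
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a uniformly chosen passphrase: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count whose entropy reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_valid_passphrase(phrase, wordlist=WORDS, separator=" ", min_words=6):
    """Check that a phrase consists only of list words and has enough of them."""
    parts = phrase.split(separator)
    return len(parts) >= min_words and all(p in wordlist for p in parts)


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print("passphrase:", phrase)
    print("entropy with this 32-word list:",
          passphrase_entropy_bits(6, len(WORDS)), "bits")
    print("words needed for 80 bits from a 7776-word list:",
          words_needed(80, 7776))
```

With the 32-word sample, six words give only 30 bits, which is why the list size matters as much as the length: the same six words drawn from a 7776-word list give about 77 bits, and `words_needed` shows that seven words from such a list clear 80 bits. The entropy figures assume the words are chosen by the generator, not by the user; a lyric or quote, however long, is a single entry in an attacker's dictionary rather than a random draw.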